Recommended Posts

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.

Share on other sites

Guest Christian Anker, lege

Guest Christian Anker, lege

The Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, Consumer Action, the Gay & Lesbian Alliance Against Defamation (GLAAD), and the American Civil Liberites Union (ACLU) file this Additional Statement of Facts and Grounds for Relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of DoubleClick's Abacus Online Alliance. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

prohibit Web sites from registering their subscribers or visitors in the Abacus Online database without their affirmative consent.

In addition, because other businesses may be engaged in deploying a similar business model, we also request that the Commission:

enjoin businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent.

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts.

At the core of DoubleClick's Abacus Online Alliance's business model is the creation of a wide spread, tracking and profiling system keyed to the names and addresses of hundreds of thousands of Internet users. Due to DoubleClick's market position, this new business model has the potential to fundamentally alter the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded and tied specifically to their identity. While potential uses of the Intel PSN posed serious privacy threats and prompted CDT to request the FTC's involvement, the intent and business premise of DoubleClick's latest venture is a direct assault on individuals' ability to control their personal information and identity.

Consumers have been told by reputable sources -- business and public interest -- that "cookies" are relatively benign. In most circumstances this is accurate. Based on educational information directed toward consumers, it is fair to say that most consumers are likely to believe that "cookies" cannot be used to tie their online activities to their name, email, or address.

DoubleClick's new practices run contrary to average consumer's expectations. There are no limits -- technical or legal -- on the purposes for which information collected by DoubleClick can be used. Similarly, there are no limits on who can access the information collected by DoubleClick.

"Cookies" the tool used by DoubleClick to track and monitor individuals' online activities are not adequately under the control of the consumer. The dominant browsers do not allow consumers to differentiate between first-party and third-party "cookies." The "cookie" prompts found in the dominant browsers do not provide consumers with information about the purpose of the "cookie." "Cookies" are so widely used that disabling them significantly alters the individuals' ability to use the Web. Disabling "cookies" may interfere with electronic commerce, eliminate pass-words, and in other ways impede the Web experience. Turning "cookies" off is not an attractive option for many Web users.

DoubleClick concedes that their existing profiling business and their new business model pose risks to privacy. DoubleClick has attempted to down play privacy concerns by offering consumers the ability to "opt-out" of their tracking system and announcing a public education campaign. However, DoubleClick has not budged from their business model -- a model that depends upon enrolling individuals' in a wide spread monitoring and tracking venture without their informed, explicit, consent. The ability to "opt-out" does not adequately address the privacy concerns at issue. Many consumers do not know that DoubleClick exists: those that do are unlikely to know that they are creating identity based profiles. If an individual changes browsers or deletes their "cookie" file their "opt-out" is erased and must be re-executed. It is unclear whether the "opt-out" provided by DoubleClick covers the Abacus Alliance.

As the Commission has documented over the past five years, consumers care about their privacy, and protecting privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that DoubleClick's latest business venture as designed does not comport with concepts of privacy protection.

At its core, the Abacus Online Alliance establishes a system of wide spread tracking and monitoring of individuals' online behavior. CDT believes that DoubleClick's business plan will cause substantial injury to consumers' privacy, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

II

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect click stream data without providing notice and gaining an individual's consent, Web sites ability to collect identifying data is limited to instances where an individual voluntarily provides it (e.g. forms, purchases, conests). DoubleClick's business model will fundamentally change this. Today, the World Wide Web allows individuals to determine when and to whom to become identified. If DoubleClick's new business model takes root, it will shift the Web away from anonymity and toward identification by tying an individual's identity to a persistent unique identifier for use in tracking the individual's Web interactions at other DoubleClick sites.

If an individual provides identifying information such as a name and address during an online interaction with an Abacus Alliance member, their name and a "cookie" will be recorded in DoubleClick's database and used to profile their future online activities. Individuals do not have a relationship with DoubleClick or Abacus, yet this company is seeking the right to know who individuals are whenever they surface on a member Web site, and to disclose a profile of information about them where the individual has taken no action to reveal their identity. While DoubleClick's current privacy statement says that, "personally-identifiable information (e.g. name, address) in the Abacus Online database will not be sold or disclosed to any merchant, advertiser, or Web publisher," they have repeatedly altered their privacy policy [ 1 ] and reserve the right to do so at any time in the future. DoubleClick may change this policy at any time and begin disclosing individuals' identities to other entities.

B. Consumers have been told that "cookies" are benign and cannot be used to identify them.

"Cookies" are a relatively common feature of Web interactions. They are a protocol for storing and exchanging data. They can be used to store many different kinds of data and can be used for a variety of purposes. The business community has assured consumers that a "cookie" could not be used to identify them. In some instances consumers have been assured that only the Web site that set the "cookie" can retrieve it. While some Web sites explain that "cookies" can be used by a Web site to store personal information provided to the site by the user, including their name, consumers have generally been told that a "cookie" alone can not reveal their identity.

Examples from several Web sites illustrate this point:

"...If you are just browsing...(a) website, a cookie identifies only your browser. If you become a registered user...(of a) website (with a designated user ID and password), we may use cookies so that we can provide personalized information that we believe will be of value to you based on preferences you have indicated while visiting the site." [ 2 ]

"A cookie is a small data file that certain Web sites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited. But the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. [ 3 ]

"A Cookie is: A very small text file placed on your hard drive by a Web Page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie's Purpose is: To tell the server that you returned to that Web page."[ 4 ]

All of these statements are accurate statements about "cookies." However, DoubleClick through its Abacus Alliance contradicts these assertions by using "cookies" to identify individuals across multiple Web sites. [ 5 ] Therefore, consumers' expectations of "cookies" impact on their privacy are inconsistent with the actual impact of DoubleClick "cookies" on their privacy.

C. DoubleClick's new business model relies on "cookies" to identify Web site visitors -- where visitors have not revealed identifying information.

DoubleClick's latest business venture, the Abacus Alliance and the Abacus Online database, will use "cookies" to identify users' offline identities in instances where users have chosen not to affirmatively disclose identifying information. By tying subscriber information collected at Abacus Alliance Web sites to a unique identifier issued to the subscriber and stored on the user's computer in a DoubleClick "cookie," DoubleClick will know individuals' identities when they appear at other DoubleClick Network member Web sites.

D. Clickstream data collected from individuals at most DoubleClick Network Web sites will be contributed to the Abacus Online database that contains user's names, addresses, retail, catalog and online purchase history and demographic data.

According DoubleClick's privacy statement individuals' clickstream data collected at DoubleClick Network Web sites that are not participating in the Abacus Alliance is fed into the Abacus Online database. Where an individual's name and address have been provided by an Abacus Alliance member the the clickstream data on users collected by DoubleClick at these Network member Web sites can, using DoubleClick's "cookies" be associated with specific individuals.

E. Web sites that are part of the DoubleClick Network but are not participating in the Abacus Online system cannot assure users that clickstream data collected by DoubleClick is non-identifiable.

Because the Web sites in the DoubleClick Network do not know whether a visitor has provided name and address information to an Abacus Online Web site, they cannot with certainty know whether clickstream data collected by DoubleClick will be tied to the individual's offline identity. Therefore, DoubleClick Network members who currently believe, based on their relationship with DoubleClick, that they are not participating in the Abacus Alliance in effect are contributing users' data to the Abacus Online database of personal information.

Members of DoubleClick's network include Web sites that provide search engines, access to News and other content, and electronic commerce transactions. Altavista provides one of the leading search engines on the Web. When visitors use the Altavista search engine each search term is relayed to DoubleClick. An online delivery service that provides home delivery of goods and products to individuals in several major metropolitan areas was using DoubleClick. This site allows individuals to search for and rent videos. When individuals search for video titles or place an order for a video rental, this information is sent to DoubleClick. Web site that provides consumers with financial services such as tax preparation, salary and mortgage tests, and account management uses DoubleClick ads. When individuals enter salary and debt information at this site it is being relayed to Doubleclick. Although we do not know whether any of these sites are participants in the Abacus Alliance, according to DoubleClick's privacy statement information such as the search terms and movie titles sent to DoubleClick (called non-personally-identifiable information by DoubleClick) is fed into the Abacus Online database. If an individual has visited an Abacus Alliance Web site and registered or otherwise revealed identifying information, the search terms, movie titles and financial information can be merged, using DoubleClick "cookies" with identifying information about consumers. DoubleClick and the Abacus Alliance are collecting information that is considered sensitive under existing U.S. policy. After we contacted the delivery service, they immediately realized the severity of these concerns and no longer use DoubleClick to deliver their advertising. However, it remains clear that other companies may be turning over similar information to DoubleClick, perhaps without realizing.

G. The disclosure of video titles rented by specific individuals is illegal under U.S. law.

The disclosure by a video tape service provider of information identifying a persons as having requested or obtained specific video materials or services is generally prohibited by the Video Privacy Protection Act, 18 U.S.C.§2710 (1988). Unless an individual has given explicit consent for the disclosure of such information, the disclosure of such information is a violation of current U.S. law. Because data collected about video rentals may be fed by DoubleClick into the Abacus Online database where, using DoubleClick "cookies," it potentially can be associated with specific individuals, we have reason to believe that a breach of individuals' privacy could occur.

H. Current "cookie" implementations do not offer individuals meaningful control over data collection.

The default settings on commonly used browsers allow "cookies" to be set by both Web sites and third-parties such as DoubleClick. If users wish to enjoy the convenience of "cookies" at Web sites that they have chosen to provide information to they cannot disable (turn off) their "cookies." The only option for such individuals is to turn on the "cookie" prompt available in newer browsers. But turning on the "cookie" prompt sets off a wave of interference for each time a Web site seeks to set a "cookie" a dialogue box appears on the user's screen demanding that the cookie be accepted or denied. On some sites a user may need to reply to eight or ten "cookie" prompts on a single page. "Cookie" prompts do not provide users with information on which to make reasonable decisions about whether to accept or reject "cookies." It is difficult to discern who is setting the "cookie," there is no indication of the purpose for which it is being used, and the meaning of the information enclosed in the "cookie" is rarely disclosed to Internet users. Consumers are forced to choose between risking their privacy and degrading their Internet experience.

I. A large segment of the population is unaware of DoubleClick's collection of personal information.

While the computer savvy may be well aware of DoubleClick's activities, the average Internet user does not know that DoubleClick exists. These individuals have never willingly engaged in an interaction with DoubleClick, have never visited the DoubleClick Web site, have never provided DoubleClick with information about themselves. They are shocked to find out that DoubleClick knows anything about them.

J. DoubleClick has refused to tell consumers which Web sites are participating in the Abacus Alliance.

Despite requests from CDT, concerned citizens, and the media, DoubleClick has refused to provide information about the Web sites participating in their new business model. Individuals have no way to know which Web sites have contracted to provide subscriber information for the Abacus Online database. Therefore consumers are unable to avoid Web sites that may send their offline identifying information to the Abacus Online database.

K. A substantial portion of savvy Internet users are outraged at DoubleClick's plan to tie their clickstream activity to their offline identity.

On February 1, 2000, CDT began a consumer education and action campaign to alert Internet users to DoubleClick's new Abacus Alliance and provide consumers with information about how to protest this practice. Over the past twenty days over 40,000 individuals have used CDT's resource to "opt-out" of DoubleClick's system altogether. We understand that many more have chosen to "opt-out" at CDT's Operation Opt-out Web site and at DoubleClick's Web site.

25,000 visitors to CDT's Web site have written to DoubleClick protesting the Abacus Alliance business plan. Several thousand individuals have written to various companies that participate in the DoubleClick Network expressing concern with the Abacus Alliance plan and asking for a clarification of the members relationships with DoubleClick. From conversations with Web sites that participate in the DoubleClick Network, we have reason to believe that thousands of additional letters have been sent to both DoubleClick and it's Network members.

Many consumers have expressed a high level of concern. The following quotes (printed with permission) from letters sent to DoubleClick and its Network members illustrate the intensity of consumer concern:

"...Lastly, the statement made by a DoubleClick representative that I read in the USA Today article is an outrage: "Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says." Not only is that remark the height of irony, it reeks of arrogance. Apparently, from that remark, it's okay for DoubleClick's participating companies' privacy to be protected but not the average consumer!"

Carl Taleric

"...It's important for you to understand that it is not the use to which the information is put, it is the collection of the information itself that violates my privacy rights. Your customers do not have a right to gauge the effectiveness of their campaigns through the non-consensual use of personal information. If they cannot get that information willingly, and with the knowledge that it is being done for advertising purposes, then the company does not have a right to that information. I have no doubt you are correct when you state that you cannot "track" users in a traditional sense of the word. But as your network expands, you will be able to do just that. Regardless, I have the right to keep my identity private, even if I visit only one site. It's not the tracking--it's the method.

Whether or not you are taking steps to protect my privacy, you need to understand that it is not sufficient that it my privacy rights are only protected from your perspective. Since I am the only person who does not have any conflict of interest in protection of my own privacy, I remain the only person who I can trust to protect it. I am entitled to know which companies participate because my privacy is mine, and mine to protect as well. I may choose to refrain from giving these sites any information in the first place because that is my right."

Lauren Hirsch

"...You claim you cannot know my identity unless I give it to an Abacus Online participant. And you will not disclose the names of those participants, so that I cannot make an informed choice as to which websites I will give information to, because I DO NOT KNOW who is collecting my personal information for DoubleClick's databases! ... If you believe that just clamping down and 'riding this storm out' will make it all better, think again. Anti-privacy business practices do not pay. The only reason you are making a dime off of your Abacus program is that I and others have not yet worked hard enough in spreading the word about this crass duplicity. And we have not yet worked hard enough to put pressure where it really counts -- on the companies that do business with you. When they begin to understand that membership in your "Aliance" is a major liability, then perhaps we will see real change...We will re-double our efforts in this regard until you ANSWER THE QUESTION: What companies are participants in the Abacus Online Alliance? Your continued silence on this crucial point will determine many of our future actions. You can brush us off as 'irrelevant' at your own fiscal peril. Or, you can come clean and show us all that we have nothing to fear. It's up to you."

David Weiss

A. Unfairness

In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy.[ 6 ]

1. DoubleClick and the Abacus Alliance Injure Consumers' Privacy by Enrolling them without their Explicit Permission in a Profiling system that Deprives Them of Control over Their Identity and other Personal Information.

In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

In his separate statement on unfairness in the ReverseAuction.com settlement Commissioner Thompson said, "I believe that Reverse Auction's behavior caused substantial injury to members of the eBay community, that the injury could not have been avoided by those members, and it was not outweighed by countervailing benefits. I believe the harm caused in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time...[T]he injury caused by ReverseAuction's conduct, far from being speculative, is a tangible misappropriation of personal protected information..." [ 7 ]

DoubleClick's practices warrant a finding of unfairness. Consumers' personal identifying information is being fed into a database that allows for wide spread online profiling. Individuals are unable to take reasonable steps to protect themselves because DoubleClick has actively withheld information about participants in the Abacus Alliance.

The efforts of members of the DoubleClick Network to preserve their visitors' anonymity are thwarted by DoubleClick's submission of clickstream data collected from Network sites to the Abacus Online database.

The instability created by DoubleClick's failure to disclose participants in the Abacus Alliance and decision to contribute users'clickstream information from non-Alliance members to the Abacus Online database are undermining consumer confidence in the electronic marketplace at large. Companies who are using "cookies" in privacy-friendly ways may unfairly draw users' suspicion.

Like the finding in the ReverseAuction case, this practice will result in a tangible misappropriation of personal information that threatens individuals' ability to control information about their identity and undermines consumer confidence in electronic commerce.

a. The Abacus Alliance's business model raises a significant risk of concrete harm to consumers' privacy.

The Abacus Alliance's business model, and others like it, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are identified whenever they participate in online activities, communicate, or make purchases -- whether they have chosen to be or not. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the identification of the individual nor the collection of detailed personal profiles.

The Abacus Alliance's business model robs individuals of the ability to determine whether or not their identity is known. While other business models interfere with individual privacy by appending information about individuals' purchases and lifestyles to their names, DoubleClick and the Abacus Alliance are alone in being able to identify an individual, by name, through a "cookie." Using this system DoubleClick and the Abacus Alliance can provide information about an individual's online and offline experiences, in real-time, to a business that has no relationship with the consumer. Individuals should be able to control to whom and under what circumstances they are known.

The Abacus Alliance intends to enroll individuals in their identity based profiling system without their informed consent. Working with a select list of secret Web sites, the Abacus Alliance has contracted to receive subscribers' identities.

This business model will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. In fact, Web sites seeking to maintain visitors' anonymity may find their efforts undermined by DoubleClick's submission of clickstream data to the Abacus Online database.

There are no technical or legal limits on the collection, use, or disclosure of information collected by DoubleClick and the Abacus Alliance. Currently, there are no United States laws that would regulate, generally, the collection, use, or access to the information in the Abacus Online database.

The Abacus Alliance's business model threatens individuals' ability to control their identity and other personal information. Such practices undermine ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased collection and centralization of clearly personally identifiable data. Their practices place an intolerable burden on individuals who want to protect their privacy.

b. Consumers cannot reasonably avoid the harm.

Because DoubleClick dominates the ad serving market, and businesses, not consumers, choose which company serves advertisements at Web sites, consumers have little ability to avoid DoubleClick. While a growing number of consumers have "opted out" of DoubleClick's system, this places an unreasonable burden on consumers. Individuals cannot be expected to "opt-out" of a system that belongs to a business they have never knowingly had contact with. When consumers delete their "cookie" files or use a new browser their "opt-out" decision will become null unless they remember to "opt-out" again. Even where a consumer has "opted-out" of DoubleClick's profiling, if the consumer makes a purchase or registers with an Abacus Alliance member it is unclear whether their "opt-out" will apply.

DoubleClick has confounded the problem by failing to disclose the names of the businesses that have contracted to provide them with identifying information on subscribers. Therefore, even the subset of individuals who are aware of the Abacus Alliance's plan do not have the information to avoid the harm to their privacy. Simply put, consumers can't make market place decisions when information critical to informed decisions is purposefully withheld.

Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. This is particularly true when that information is their identity. As constructed, the Abacus Alliance and DoubleClick's business model deprives individuals of control over their personal information.

Due to the cumbersome nature of the "cookie" controls, individuals are likely to leave "cookies" on. Because DoubleClick is not transparent to consumers, and because consumers never willingly provide DoubleClick with personal information, the majority of consumers are unlikely to "opt-out" of DoubleClick's system. It is unclear whether "opting-out" at DoubleClick is equivalent to "opting-out" of the Abacus Alliance. Even if consumers availed themselves of participating Abacus Alliance Web sites "opt-out" mechanisms, this places an inappropriate burden on consumers for if a consumer forgets to "opt-out" at one Web site their identity may end up in the Abacus Online database profiling system forever more.

c. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

Many ad serving businesses and Web publishers have eschewed DoubleClick's plan to surreptitiously enroll individuals in their fully identifiable Abacus Alliance profiling system. Several of the ad serving companies have stated that they will not engage in such a practice. Although DoubleClick claims that consumers benefit from targeted advertising, all evidence that we are aware of indicates that consumer's are outraged by the unsolicited profiling that supports DoubleClick's model. While consumers are fond of features that allow them to actively choose the content they receive, consumers do not appear to find profiling beneficial to them. Even if DoubleClick put forth evidence that consumers like targeted advertisements online, this would not justify the collection of information such as name and address which is not needed for online ad serving. It appears that other businesses are able to provide effective advertising strategies in a fashion that raises far fewer privacy concerns.

2. The DoubleClick/Abacus Alliance business model violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with the availability of identifying information.

This week the Federal Trade Commission announced a series of events to highlight ways in which consumers can combat the risk of identity theft. The Commission's press release states:

"To best protect against becoming an ID theft victim, the agency gives the following guidance: Be careful about giving out your personal information. For example, don't give out personal identifying information (SSN, date of birth, mother's maiden name) to someone over the phone (or the Internet) when you haven't initiated the transaction...."

Unfortunately, if DoubleClick's business model moves forward this advice will be moot, for regardless of what steps consumers take to limit who has access to their personal identifying information DoubleClick will have it and be able to provide it to whom ever they see fit.

It is widely recognized that consumers must have meaningful control over their personal information. DoubleClick's business plan strips individuals of control over the most important pieces of their personal information, their identifying information.

In addition, DoubleClick's decision to submit information collected at DoubleClick Network member sites to the Abacus Online database interferes with the ability of Network members' ability to address the privacy concerns of their visitors. There is no way for a Network member to know whether an individual's clickstream data will be associated with offline identifying information contained in the Abacus Online database. Due to DoubleClick's actions, it is quite possible that the privacy statements at DoubleClick Network member Web sites are deceptive, despite the best intention of the Web sites.

3. Public Sentiment on Privacy

Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org) A recent study by the Univeristy of Pennsylvania's Wharton school found that fear of "third party monitoring" was the major reason for consumers dropping out of electronic commerce. http://www.wharton.upenn.edu/news/news_rel/wvtm.html

As the largest ad server in the consumer marketplace, DoubleClick's market decisions have far-reaching impact on consumers' online privacy.

Due to the high likelihood of harm to consumer privacy we respectfully request that the FTC enjoin DoubleClick and the Abacus Alliance from tying individuals' names, addresses, phone numbers, and emails to information collected through DoubleClick's cookies; and,

prohibit Web sites from registering their subscribers or visitors in the Abacus Alliance profiling system without their affirmative consent, which cannot be made a condition of participation.

Because other businesses may be deploying similar business models, we also request that the Commission enjoin all businesses from registering their subscribers in any third-party profiling system that ties personally identifiable information to online surfing habits absent the individual's affirmative consent, which cannot be made a condition of participation.

Businesses are obliged to limit the safety risks their products pose. DoubleClick's business model poses substantial risk to consumer privacy. While advertising may be, as DoubleClick tells us, a component of a thriving consumer online marketplace, identity-based profiling inappropriately and unnecessarily places privacy and advertising at odds.